Angel Pons has uploaded this change for review.

dummyflasher.c: Prevent use-after-free bug

The memory for the `status` string is aliased by the `endptr` pointer.
Moreover, `errno` could have been modified by the call to `free()`.
Therefore, only free the former when there are no more uses of either.

Change-Id: I1b56834004fe18918213a7df0a09a8a7ecb56985
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
---
M dummyflasher.c
1 file changed, 2 insertions(+), 1 deletion(-)

git pull ssh://review.coreboot.org:29418/flashrom refs/changes/09/54909/1
diff --git a/dummyflasher.c b/dummyflasher.c
index 78f3837..5109483 100644
--- a/dummyflasher.c
+++ b/dummyflasher.c
@@ -973,12 +973,13 @@
char *endptr;
errno = 0;
data->emu_status = strtoul(status, &endptr, 0);
- free(status);
if (errno != 0 || status == endptr) {
+ free(status);
msg_perr("Error: initial status register specified, "
"but the value could not be converted.\n");
return 1;
}
+ free(status);
msg_pdbg("Initial status register is set to 0x%02x.\n",
data->emu_status);
}
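Review bot: The condition `if (errno != 0 || status == endptr)` still accepts input with trailing characters after the number, because it only verifies that at least one character was consumed. Now that `status` stays allocated until after the check, the condition can safely also test `*endptr != '\0'` and reject such input. The two `free(status)` calls could be collapsed into one by storing the outcome of the check in a local variable before freeing, which avoids adding another copy if the block gains more early returns. The debug message prints the value with `0x%02x`; if `emu_status` is meant to hold a single byte, a range check on the `strtoul()` result belongs in the same condition.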

Gerrit-Project: flashrom
Gerrit-Branch: master
Gerrit-Change-Id: I1b56834004fe18918213a7df0a09a8a7ecb56985
Gerrit-Change-Number: 54909
Gerrit-PatchSet: 1
Gerrit-Owner: Angel Pons <th3fanbus@gmail.com>
Gerrit-MessageType: newchange